Generally Available: site-to-site VPN connections with certificate authentication

Azure Site-to-Site VPN with digital certificate authentication provides an alternative to the traditional pre-shared key (PSK) model by using a certificate-based asymmetric trust model. In this configuration, Azure and the on-premises VPN device authenticate each other by using separate inbound and outbound certificates. The outbound authentication certificate is stored in Azure Key Vault and is accessed by the VPN Gateway through a user-assigned managed identity with the required Role-Based Access Control (RBAC) permissions. Because X.509 certificates use asymmetric keys and a trusted certificate chain to validate identity, this approach helps reduce the risk of impersonation and Internet Key Exchange (IKE) negotiation tampering. [Learn more](https://learn.microsoft.com/azure/vpn-gateway/site-to-site-certificate-authentication-gateway-about).